Skip to content

Commit

Permalink
Error out early on an expired token
Browse files Browse the repository at this point in the history
Fixes #12131

If we hit an expired token there is no need to continue checking. Since
we know it is a token.

We also should not register this with the bruteforce throttler as it is
actually a valid token. Just expired. Instead the authentication should
fail. And buisness continues as usual.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
  • Loading branch information
rullzer committed Oct 30, 2018
1 parent 360d7b9 commit 66c9507
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion lib/private/User/Session.php
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@
namespace OC\User;

use OC;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
Expand Down Expand Up @@ -401,7 +402,13 @@ public function logClientIn($user,
$this->manager->emit('\OC\User', 'preLogin', array($user, $password));
}

$isTokenPassword = $this->isTokenPassword($password);
try {
$isTokenPassword = $this->isTokenPassword($password);
} catch (ExpiredTokenException $e) {
// Just return on an expired token no need to check further or record a failed login
return false;
}

if (!$isTokenPassword && $this->isTokenAuthEnforced()) {
throw new PasswordLoginForbiddenException();
}
Expand Down Expand Up @@ -474,11 +481,14 @@ protected function isTwoFactorEnforced($username) {
*
* @param string $password
* @return boolean
* @throws ExpiredTokenException
*/
public function isTokenPassword($password) {
try {
$this->tokenProvider->getToken($password);
return true;
} catch (ExpiredTokenException $e) {
throw $e;
} catch (InvalidTokenException $ex) {
return false;
}
Expand Down

0 comments on commit 66c9507

Please sign in to comment.